From 79f70d9d3f4487165ca407c0bd891e404cf5e9d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?=
Date: Thu, 15 Feb 2024 19:20:48 +0100
Subject: [PATCH] Revert "posix_acls.c: prefer capabilities over become_root"

This reverts commit 1edf9ecaf56f3312e199e633bff0804243042e33.
---
 source3/smbd/posix_acls.c | 40 +++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/source3/smbd/posix_acls.c b/source3/smbd/posix_acls.c
index 530056175e0..d275bdb908b 100644
--- a/source3/smbd/posix_acls.c
+++ b/source3/smbd/posix_acls.c
@@ -2944,11 +2944,11 @@ static bool set_canon_ace_list(files_struct *fsp,
 "file [%s] primary group.\n", fsp_str_dbg(fsp));
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 sret = SMB_VFS_SYS_ACL_SET_FD(fsp, the_acl_type, the_acl);
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 if (sret == 0) {
 ret = true;
 }
@@ -3441,12 +3441,12 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
 if (has_take_ownership_priv || has_restore_priv) {
 status = NT_STATUS_OK;
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 ret = SMB_VFS_FCHOWN(fsp, uid, gid);
 if (ret != 0) {
 status = map_nt_error_from_unix(errno);
 }
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 return status;
 }
 }
@@ -3480,13 +3480,13 @@ static NTSTATUS try_chown(files_struct *fsp, uid_t uid, gid_t gid)
 }
 status = NT_STATUS_OK;
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 /* Keep the current file gid the same. */
 ret = SMB_VFS_FCHOWN(fsp, uid, (gid_t)-1);
 if (ret != 0) {
 status = map_nt_error_from_unix(errno);
 }
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 return status;
 }
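Review bot: In the set_canon_ace_list hunk (@@ -2944), `unbecome_root()` runs between `SMB_VFS_SYS_ACL_SET_FD()` and the `sret` check, so any errno left by a failed ACL set has to survive the privilege drop; try_chown in this same patch avoids that by calling `map_nt_error_from_unix(errno)` before `unbecome_root()`. If the code after this hunk logs or maps errno (not visible here), preserve it across the drop, for example `int saved_errno = errno; unbecome_root(); errno = saved_errno;`. The same ordering appears in set_nt_acl around `SMB_VFS_SYS_ACL_DELETE_DEF_FD()` (@@ -3751, @@ -3765) and `SMB_VFS_FCHMOD()` (@@ -3820, @@ -3834). The function body starts and ends outside the hunk.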
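Review bot: The two restored `become_root()` windows in try_chown (@@ -3441 and @@ -3480) have no comment saying why full root is needed there instead of a single capability. On Linux, changing a file's owner is gated by CAP_CHOWN rather than CAP_DAC_OVERRIDE, which is presumably why the narrower capability was not sufficient; a comment such as `/* fchown to another uid needs more than DAC override, so run as root for this call only. */` above each `become_root()` would keep a later change from narrowing the privilege incorrectly. Both windows wrap only the `SMB_VFS_FCHOWN()` call and the errno mapping, which keeps the root section small and is worth preserving. try_chown continues outside both hunks.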
@@ -3707,12 +3707,12 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
 if (acl_perms && file_ace_list) {
 if (set_acl_as_root) {
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 }
 ret = set_canon_ace_list(fsp, file_ace_list, false, &fsp->fsp_name->st, &acl_set_support);
 if (set_acl_as_root) {
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 }
 if (acl_set_support && ret == false) {
 DEBUG(3,("set_nt_acl: failed to set file acl on file "
@@ -3727,13 +3727,13 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
 if (acl_perms && acl_set_support && fsp->fsp_flags.is_directory) {
 if (dir_ace_list) {
 if (set_acl_as_root) {
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 }
 ret = set_canon_ace_list(fsp, dir_ace_list, true, &fsp->fsp_name->st, &acl_set_support);
 if (set_acl_as_root) {
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 }
 if (ret == false) {
 DEBUG(3,("set_nt_acl: failed to set default "
@@ -3751,11 +3751,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
 */
 if (set_acl_as_root) {
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 }
 sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
 if (set_acl_as_root) {
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 }
 if (sret == -1) {
 if (acl_group_override_fsp(fsp)) {
@@ -3765,10 +3765,10 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
 "Override delete_def_acl\n", fsp_str_dbg(fsp)));
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 sret = SMB_VFS_SYS_ACL_DELETE_DEF_FD(fsp);
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 }
 if (sret == -1) {
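Review bot: The `if (set_acl_as_root) { become_root(); }` / `if (set_acl_as_root) { unbecome_root(); }` pair is written out by hand around each call in set_nt_acl (here and in @@ -3727, @@ -3751, @@ -3786, @@ -3820), so the elevate/drop balance depends on nobody later adding an early return or `goto` between the two halves. Every pair visible in this patch is balanced, but a comment at the first site such as `/* Each become_root() below must be matched by unbecome_root() on every path before returning. */`, or two small static helpers taking `set_acl_as_root`, would make that invariant explicit. When `set_acl_as_root` is set, set_canon_ace_list() can also enter its own `become_root()` (@@ -2944) inside this window; that nesting is presumably supported, but it is worth confirming. set_nt_acl starts and ends outside the hunk.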
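Review bot: In the @@ -3751 / @@ -3765 pair, when `set_acl_as_root` is true the first `SMB_VFS_SYS_ACL_DELETE_DEF_FD()` has already run as root, so the `acl_group_override_fsp()` fallback repeats the same call with the same privilege and, barring a transient error, cannot change the result. Guarding the fallback as `if (!set_acl_as_root && acl_group_override_fsp(fsp)) {` would avoid opening a second root window for nothing. The same applies to the `SMB_VFS_FCHMOD()` fallback in @@ -3820 / @@ -3834. This assumes acl_group_override_fsp() has no side effect the caller depends on, which is not visible in these hunks.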
@@ -3786,14 +3786,14 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
 if (acl_set_support) {
 if (set_acl_as_root) {
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 }
 store_inheritance_attributes(fsp, file_ace_list, dir_ace_list, psd->type);
 if (set_acl_as_root) {
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 }
 }
@@ -3820,11 +3820,11 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
 fsp_str_dbg(fsp), (unsigned int)posix_perms));
 if (set_acl_as_root) {
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 }
 sret = SMB_VFS_FCHMOD(fsp, posix_perms);
 if (set_acl_as_root) {
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 }
 if(sret == -1) {
 if (acl_group_override_fsp(fsp)) {
@@ -3834,9 +3834,9 @@ NTSTATUS set_nt_acl(files_struct *fsp, uint32_t security_info_sent, const struct
 "Override chmod\n", fsp_str_dbg(fsp)));
- set_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ become_root();
 sret = SMB_VFS_FCHMOD(fsp, posix_perms);
- drop_effective_capability(DAC_OVERRIDE_CAPABILITY);
+ unbecome_root();
 }
 if (sret == -1) {
-- 
2.34.1